Privacy Policy

Effective Date: March 13, 2026

At Rewi, we believe that financial privacy is a fundamental human right. Our "Local-First" architecture ensures that your sensitive data remains under your absolute control.

Privacy by Design

Rewi is engineered so that your financial information never leaves your device. We do not operate a centralized database for your subscription data.


1. Data Architecture & Sovereignty

Decentralized Storage

Rewi is built on a "Local-First" architecture. Unlike traditional financial trackers, your subscription data is never transmitted to or stored on a central server. Your financial profile—including costs, billing cycles, and payment methods—resides exclusively within an encrypted SQLite database on your physical device.

Zero-Knowledge Principle

We operate under a "Zero-Knowledge" framework. Because we do not provide a cloud-sync service for your subscription data, we have no technical means to access, view, or decrypt your financial records.

Manual Data Entry (Air-Gapped Privacy)

To ensure maximum security, Rewi does not utilize "Bank Linking" or third-party data aggregators (like Plaid). You retain 100% control over the information entered, ensuring your bank login credentials never touch our software or any intermediary.


2. Information Collection & Data Processing

We distinguish between the Financial Data you manage and the System Data required to run the app.

A. Managed Data (We NEVER Collect)

We do not collect, "phone home," or aggregate any data related to:

  • Subscription Identity: Which services you use (e.g., Netflix, Spotify, Gym memberships).
  • Spending Intelligence: Your total monthly spend, average cost per category, or budget limits.
  • Audit Insights: Any conclusions or scores generated by the "Audit Engine."

B. Technical & Transactional Data

To provide a stable and premium experience, we process a limited set of non-sensitive data points:

  • Anonymous Telemetry: We use industry-standard tools (Google Play Services / Apple App Store Connect) for anonymized crash reporting. This includes device model and OS version.
  • Premium Subscription Management: For Rewi Pro users, we utilize RevenueCat to validate purchase receipts. This service only sees that you purchased Pro, not your internal app data.
  • Dynamic Asset Fetching: The app may request service logos from public APIs. This request contains only the domain name (e.g., adobe.com) and no user-identifiable metadata.

3. Third-Party Service Providers

We minimize data exposure by utilizing Anonymous Identifiers whenever possible.

  • RevenueCat: Manages entitlements. They do not have access to your bank details or subscription list.
  • Firebase Crashlytics / App Store Connect: Used strictly for debugging fatal errors. We do not use these for behavioral tracking or advertising.
  • Favicon APIs: Fetches service logos via domain-only requests.

4. Security Architecture & Data Protection

Localized Data Environment

Rewi Vault operates as an offline-first application. Your data is stored within a private, sandboxed environment on your device. This means your subscription data, costs, and personal notes are never transmitted to our servers or stored in the cloud.

Device-Level Security

The security of your Rewi Vault data relies on your device's native security settings. We strongly recommend using a secure lock screen (PIN, Pattern, or Password) and ensuring your device's storage encryption is active at the OS level to protect your local data from unauthorized physical access.

Secure Status Verification

While your personal vault remains offline, Rewi Vault may use secure TLS 1.3 (SSL) connections for the sole purpose of verifying "Pro" license status through the Google Play Store billing API. No personal subscription data is shared during this handshake.

User Sovereignty & Backups

Because Rewi does not keep "Cloud Backups," we cannot reset your password or recover your data if you lose your device. We provide a Manual Export tool (JSON/CSV) within the app settings for you to maintain your own backups.


5. Data Subject Rights

In alignment with GDPR and CCPA/CPRA, you are the primary custodian of your data:

  1. Right to Access & Portability: Export your entire database via Settings > Data Management.
  2. Right to Rectification: Modify or update any entry within the app immediately.
  3. Right to Erasure: Deleting the app or using "Clear All Data" purges all information permanently.
  4. Right to Object: Opt out of anonymous telemetry via system-level privacy settings.

6. Policy Governance

  • Transparency: Significant changes will be highlighted in the "Version History" of the App Store/Play Store.
  • Immutable Core: Our commitment to Local-First Storage is a core technical principle that will not change.
  • Continued Use: Use of the app after an update constitutes agreement to the revised policy.

7. Children’s Privacy

  • Age Requirement: Users must be at least 13 years of age.
  • Zero-Targeting: We do not build advertising profiles or track user behavior, ensuring a safe environment for all users.

Global Accessibility

Your data remains in the country where your device is located. We do not "transfer" subscription data across borders.

Contact Information

  • Data Controller: Subszi (Nebro)
  • Privacy Inquiries: washenafik@gmail.com
  • Legal Address: Available upon request for legal service.